Data management

ABSTRACT

A package is provided for use with a track-and-trace data management system. The package comprises a base defining a plurality of compartments, each compartment containing an item, and a cover enclosing the compartments to retain each item inside a respective compartment. Each item carries a unique item code, and the package includes at least one unique security code. The relationship between the unique item code and the at least one unique security code is maintained by the data management system.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application No. 60/969,837 entitled “Data Management” and filed on Sep. 4, 2007, the entire contents of which are hereby incorporated by reference herein.

BACKGROUND

There are many applications that involve managing a vast amount of data. One particular area involves tracing pharmaceuticals through a supply chain from manufacture through delivery to the end user. Given the prevalence of counterfeiting, and the health risks associated with counterfeit medications, tracing pharmaceuticals through a supply or distribution chain has now assumed added importance. In addition to such track and trace applications, data management may also be required for authentication of items containing security features, even if the items are not being tracked.

Track-and-trace functionality can be implemented by adding a security feature to the packaging of pharmaceuticals. However, this only allows the package to be traced and authenticated, not individual pharmaceuticals within the package.

Conventionally, many pharmaceuticals are shipped in bulk and then re-packaged at a pharmacy or other distribution center (e.g., factory, mail-order facility, and the like), either manually or by using a robotic dispenser. In this scenario, marking of an individual pharmaceutical (that is, a unit dose) for track-and-trace requires the use of a part, tag or other indicator that has been approved as an ingestible by the Food and Drug Administration (FDA). Obtaining such approval is difficult and expensive, requiring large-scale toxicology testing.

It would be advantageous to be able to use parts that have already been approved by the FDA to implement track-and-trace at the individual pharmaceutical (that is, unit dose) level.

SUMMARY

According to a first aspect of the invention there is provided a package comprising: a base defining a plurality of compartments, each compartment containing an item; and a cover enclosing each of the compartments to retain each item inside a respective compartment, wherein each item includes or otherwise carries a unique item code and the package includes or otherwise carries at least one unique security code, and where the relationship between each unique item code and the at least one unique security code is maintained by a database.

The items may comprise pharmaceuticals.

The package cover may comprise a frangible cover, such as is commonly used in a blister pack, for example a foil sheet.

The package may include a unique security code associated with each compartment. The code may be located within the compartment (for example, on an inside surface of the cover or on an inside surface of the compartment), or outside the compartment (for example, on an outside surface of the cover or on an outside surface of the compartment). The code may be applied by any suitable mechanism, for example, printing, application of a label, or the like. Where a unique security code is associated with each compartment, a database can be used to validate every pharmaceutical in the package, thereby enabling unit level track-and-trace for pharmaceuticals.

The unique security code is preferably machine-readable. The unique item code may also be machine-readable.

The unique item code carried by each item may be created by a laser beam. For example, the system provided by Datalase (trade mark) of Unit 3, Wheldon Road, Widnes, Cheshire, WA8 8FW may be used to write a unique barcode (such as a 2D barcode) on each item. Such a barcode may include information relating to the manufacturer, the place of manufacture, the type of pharmaceutical, the typical dosage, an expiry date, a unique serial number, and the like.

The unique item code may include the name of a pharmaceutical, dosage information, a unique serial number, and the like. For items other than pharmaceuticals, the unique item code may include any similarly identifying and/or other convenient information. Depending on the embodiment, the unique item code may be the same for a particular type of item (e.g., a particular pharmaceutical), and/or it may differ with individual instances of the item (e.g., with each pill of a particular pharmaceutical).

The base may comprise a plastic, such as a plastic approved by the FDA for use with pharmaceuticals.

The base may be optically transparent to allow a reader to read the unique item code and the associated unique security code by aligning the reader with a compartment.

The two codes (the item code and the security code) may be read simultaneously, nearly simultaneously, or sequentially.

Each item may have its respective item code created prior or subsequent to enclosure of that item in the package. If an item has its item code created subsequent to enclosure in the package, then a low power carbon dioxide laser may be used to write through a plastic base material.

The unique security code may comprise a luminophore, such as a silica matrix enclosing: a lanthanide, a dye, a quantum dot, or the like. As used herein, a luminophore is an atom or atomic grouping in a chemical compound, or part of a molecular entity, that manifests luminescence or, in some embodiments, more particularly, photoluminescence.

The unique security code may be provided by a covert ink. Where a covert ink is used, the code may be implemented as an invisible barcode, for example, photoluminescing in the near infra-red region of the electromagnetic spectrum.

The unique security code may comprise a barcode (such as a 2D barcode).

In a preferred embodiment, each item is marked with a DataLase (trade mark) Pharmamark (trade mark) coating.

In a preferred embodiment, each compartment is conformably molded around an item, so that the item does not move substantially during transport.

By virtue of this aspect of the invention, it is possible to implement track-and-trace of individual pharmaceuticals using substances that have already been approved by the FDA.

According to a second aspect of the present invention there is provided a data management system comprising: a data store for storing at least one entry, the entry including (i) information associated with an item in a multi-compartment package, and (ii) information about a security feature associated with that item; an authenticator operable to access the data store in response to a request from a remote reader and including (i) a reader validator to authenticate the remote reader, and (ii) a security feature validator to authenticate a security feature read by the remote reader and also operable to issue an authenticity confirmation in the event that a security feature is successfully validated; and a port for coupling the remote reader and the authenticator to enable requests to be transmitted from the remote reader to the authenticator and responses to be transmitted from the authenticator to the remote reader.

The data management system may also include a security gateway in communication with the port to protect the port against unauthorized access.

The term “data store” is used herein in a generic sense, and is intended to cover databases and other computing structures organized and arranged for storing and providing access to data.

The at least one data store entry may further include (iii) information about remote readers permitted to request authentication of that item. This information may be included directly in an entry or by a reference to another entry. This information may include the identity and location of remote readers permitted to request authentication of that item.

The identity and location of remote readers may be added to the item's data store entry (either directly or by a reference link) each time the item is authenticated. This enables the data management system to support a track and trace function. This allows an authorized user of the data store to ascertain where and when each item has been authenticated.

The information about remote readers permitted to request authentication of an item may be stored in a separate data store and linked to the appropriate entry for that item. The data store may comprise multiple data storage nodes (for example, organized in a cluster).

The data management system may be implemented as a cluster and may include a plurality of data stores, and have a plurality of authenticators (each an authentication node).

The identity information may include information about a hardware component within the remote reader, for example, a MAC address of a network connection (such as an Ethernet adapter); alternatively, the identity information may be a pre-assigned code unique to each remote reader.

The information associated with an item may include a description of the item, a serial number of the item, a place of manufacture of the item, and such like. Where the item includes a barcode, the information associated with the item may include the information stored by the barcode (either in full form or as a hash for computational speed and storage efficiency). Where a UPC (Universal Product Code) barcode symbology is used (e.g., UPC-A/UCC-12), the UCC (Uniform Code Council) Company Prefix from the barcode may be stored in the item's data store entry. Likewise, the Item Reference from such a barcode may be stored in the item's data store entry. In such case the UCC Company Prefix and/or Item Reference may be used as the unique index to access the appropriate entry from the data store. This is particularly useful in embodiments where all items recorded in the data store have associated barcodes.

The information associated with the item may include a global identification in addition, or as an alternative, to the UCC Company Prefix and/or Item Reference. A global identification is useful if there are customers who do not use barcodes to label items; for example, if a small item, such as a pharmaceutical is tagged with a security feature.

The information about a security feature associated with that item may include a representation of a unique spectral signature. The representation may be a series of pairs of numbers (e.g., one number relating to wavelength (or frequency), the other number relating to intensity or rate of change of intensity of emission at that wavelength), a unique code representing the spectral signature, or such like. Thus, the data store may store raw wavelength versus intensity data for a security feature, or a representation of this raw data. The unique spectral signature may be processed, for example, using algorithms, to derive a unique code or to transform the spectral signature to raw intensity and wavelength data. Alternatively, where a non-luminescent security feature is used, for example, RFID, the information may include unique data associated with that security feature.

As used herein, a spectral signature refers to aspects of luminescence from a security feature or group of security features that are unique to that feature or group of features. These aspects may include one or more of: presence or absence of emission at one or more wavelengths; presence or absence of a peak in emission at one or more wavelengths; the number of emission peaks within all or a portion of the electromagnetic spectrum comprising, for example, ultraviolet radiation to infrared radiation (e.g., approximately 10 nm to 1 mm); rate of change of emission versus wavelength, and additional derivatives thereof; rate of change of emission versus time, and additional derivatives thereof; absolute or relative intensity of emission at one or more wavelengths; ratio of an intensity of one emission peak to an intensity of another emission peak or other emission peaks; the shape of an emission peak; the width of an emission peak; or such like.

The information about a security feature associated with that item may include information about the entity to which the unique spectral signature is assigned. This may include the name of the entity (for example, a company name, a government name, a name of an authorized issuing body, or such like) to which the spectral signature is assigned, or a code referencing the name of the entity.

The information about a security feature associated with that item may include information indicating the type of security feature used, (for example, lanthanide-doped silica, a dye, quantum dots, RFID, and such like).

The security feature may be a luminophore, such as a silica matrix enclosing: a lanthanide, a dye, a quantum dot, or the like. As used herein, a luminophore is an atom or atomic grouping in a chemical compound, or part of a molecular entity, that manifests luminescence.

In typical embodiments, the security feature validator may be implemented in software.

The security feature validator may implement algorithms for transforming the unique spectral signature and/or transforming data received from the remote reader.

The security feature validator may authenticate a security feature read by the remote reader by processing data transmitted by the remote reader and comparing the processed transmitted data with the data store entry for that item. In particular, the security feature validator may compare the processed transmitted data with the stored information about a security feature associated with that item.

The reader validator may authenticate the remote reader by validating the identity of the remote reader, for example, by verifying that the remote reader has used the appropriate encryption key and protocols to access the data management system, and/or by verifying that the remote reader is listed as a permitted remote reader in the data store (either directly or by a reference to another data store).

The authenticity confirmation may comprise the following fields: a customer identification field (comprising a global identification and/or the UCC Company Prefix), a reader identity field, a request successful field, a unique system identification field, a timestamp field, and a unique transaction identifier field.

The unique system identification field may be populated by a unique number stored in firmware at the data management system. This unique number may be a pre-stored number assigned by the owner of the data store, a number associated with a hardware component, such as a MAC address of a network adapter of the system, or such like. This unique number may be added to each authenticity confirmation that is issued to allow the remote reader that requested authentication of a security feature to confirm the identity of the data management system (that is, the remote reader can use the unique system identification to authenticate the data management system).

The data management system may implement a timestamp by maintaining a timer using an offset from a known base, incremented by ticks based on a clock signal. The data management system may populate the timestamp field with the current value of the timestamp when the authenticity confirmation is being prepared.

A remote reader may store a timestamp from the last authenticity confirmation received to ensure that a timestamp received from a current authenticity confirmation is later than the stored timestamp. By applying a timestamp to each authenticity confirmation, and ensuring that a subsequent authenticity confirmation has a later timestamp than the previous authenticity confirmation, replay attacks can be avoided, or at least greatly reduced.

An authentication request having the same customer identification, remote reader identification, and timestamp automatically causes the authentication request to fail because it is treated as a replay attack.

The authenticator may increment a transaction identifier counter after each authenticity confirmation, thereby providing additional security against replay attacks.
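The replay checks described above can be sketched as follows. This is an added example, not code from the application: the class names, the in-memory set of seen requests, the sample identifiers, and the reader-side check that transaction identifiers only increase are assumptions, and validation of the security feature itself is taken as already passed.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class AuthRequest:
    customer_id: str   # global identification and/or UCC Company Prefix
    reader_id: str
    timestamp: int     # reader-side ticks from a known base


@dataclass(frozen=True)
class Confirmation:
    # Fields of the authenticity confirmation as listed in the text.
    customer_id: str
    reader_id: str
    request_successful: bool
    system_id: str
    timestamp: int
    transaction_id: int


class Authenticator:
    """Server side: fails any request that repeats (customer, reader, timestamp)."""

    def __init__(self, system_id: str, clock: Callable[[], int]):
        self.system_id = system_id
        self._clock = clock            # returns the current tick count
        self._seen = set()             # assumption: unbounded in-memory set
        self._transaction_counter = 0

    def handle(self, req: AuthRequest) -> Optional[Confirmation]:
        key = (req.customer_id, req.reader_id, req.timestamp)
        if key in self._seen:
            return None                # treated as a replay, request fails
        self._seen.add(key)
        self._transaction_counter += 1  # incremented for every confirmation
        return Confirmation(req.customer_id, req.reader_id, True,
                            self.system_id, self._clock(),
                            self._transaction_counter)


class ReaderState:
    """Reader side: accepts only confirmations newer than the last one stored."""

    def __init__(self, customer_id: str, reader_id: str, expected_system_id: str):
        self.customer_id = customer_id
        self.reader_id = reader_id
        self.expected_system_id = expected_system_id
        self.last_timestamp: Optional[int] = None
        self.last_transaction_id: Optional[int] = None

    def accept(self, conf: Confirmation) -> bool:
        # The unique system identification authenticates the data management system.
        if conf.system_id != self.expected_system_id:
            return False
        if (conf.customer_id, conf.reader_id) != (self.customer_id, self.reader_id):
            return False
        # The timestamp must be strictly later than the stored one.
        if self.last_timestamp is not None and conf.timestamp <= self.last_timestamp:
            return False
        # Assumed extra check: the transaction identifier must also advance.
        if (self.last_transaction_id is not None
                and conf.transaction_id <= self.last_transaction_id):
            return False
        self.last_timestamp = conf.timestamp
        self.last_transaction_id = conf.transaction_id
        return True


def demo() -> dict:
    """Constructed exchange: one genuine request, then replays of both messages."""
    ticks = iter(range(1000, 1010))    # constructed clock values
    auth = Authenticator("SYS-EXAMPLE-01", lambda: next(ticks))
    reader = ReaderState("0123456", "RDR-0001", "SYS-EXAMPLE-01")
    req = AuthRequest("0123456", "RDR-0001", 500)
    first = auth.handle(req)
    results = {
        "first_accepted": reader.accept(first),
        "request_replay_rejected": auth.handle(req) is None,
        "confirmation_replay_rejected": not reader.accept(first),
    }
    second = auth.handle(AuthRequest("0123456", "RDR-0001", 501))
    results["next_accepted"] = reader.accept(second)
    return results


if __name__ == "__main__":
    print(demo())
```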

An authenticity confirmation may be in the form of a certificate of authenticity that can be transmitted to and automatically processed by other computer systems, in a similar way to how a public key encryption certificate is provided by Web sites.

The authenticator may be operable to update a customer's entry (or to add sub-entries thereto) for an item to indicate each occasion on which that item is validated by the data management system. The authenticator may also update the customer's entry for an item to include the location of the remote reader that requested authorization of the customer's item. The data management system may populate a separate tracking data store (referenced by the customer's entry) that can be used to provide track and trace information. The decision on whether to use a separate data store or not is based on the preferences of the owner of the data management system.

The authenticator may be operable to create a log file for each authentication failure. The authenticator may include an exception condition that triggers a notification process in the event of an authentication failure. The notification process may inform the owner of the data store and/or the customer associated with the item about the failure to authenticate. The notification process may include details about whether the remote reader was authorized and whether the security feature was authorized.

The port may include a customer interface to allow the customer to send requests to the data store. The customer interface may be a Web front end to a SQL database management system, or any other convenient interface to allow a customer to make pre-defined requests. Alternatively, the contents of the data store may be mirrored (or otherwise transferred) to a separate system (a customer request system), and the customer request system may include a customer interface to allow the customer to send requests relating to the transferred data. This has the advantage of removing a potential security risk by having a customer interface in the data management system. The customer request system may be implemented by a query database.

The data management system may allow a customer to request a list of all authentications requested by readers, including any authentication requests that were not successful.

The port may comprise a plurality of different logical and/or physical connections. The port may implement Web technologies, and be accessible through a Web connection.

The security gateway may include one or more conventional firewalls (for example, based on proxy servers) and conventional load balancers. The firewalls scan incoming requests to ensure that no viruses or worms are present, and to ensure that the system is not probed. As firewalls and load balancers are well known to those of skill in the art, they will not be described in detail herein.

The authenticator may include a parameter issuing object that issues parameters to a remote reader to instruct the remote reader about what parameters to apply when reading the security feature and/or processing data read from the security feature. The parameter issuing object may issue a reader control command having a data structure comprising: a customer identification field (comprising a global identification and/or the UCC Company Prefix), a reader identity field, an algorithm identification field (referencing an algorithm stored by the remote reader), algorithm parameter fields (including any parameters needed by the referenced algorithm), a unique system identification field, a timestamp field, and a unique transaction identifier field. The parameter issuing object may be used to control the remote readers and make it more difficult to simulate the response of a security feature.

A request from a remote reader may be stored in non-volatile memory and then erased when actioned by an authenticator node (either by issuing an authenticity confirmation if validated, or by responding with a failure message if not validated); thereby ensuring a response is issued, even if a node fails. The failure message may include limited information, for example, it may not include the unique system identification field or any other details that may help a criminal to deduce information about the data management system.

By virtue of this aspect of the invention a highly secure data management system is provided that can be used for authenticating security features and also for track and trace applications.

According to a third aspect of the present invention there is provided a method of managing data, the method comprising: storing in a data store for each item in a multi-compartment package information (e.g., data) associated with (i) that item, and (ii) a security feature associated with that item; receiving a request from a remote reader where the request includes data read from a security feature and data read from an item associated with that security feature; processing the read data to derive an index for accessing a relevant entry in the data store; accessing the data store using the derived index; comparing the read data with stored data for that index; and generating an authenticity confirmation in response to a match.

The method may comprise the further step of authenticating the remote reader.

Additionally, the method may comprise the further step of processing the read data to derive data associated with the item and the associated security feature, and the step of comparing the derived data with stored data for the derived index in addition to, or in lieu, of the step of comparing the read data with stored data for the derived (re. “that”) index.

The step of storing information (e.g., data) about an item may include storing information derived from reading a spatial code on the item, such as a barcode. Such information may include a customer number (e.g., a UCC Company Prefix), an item or product number (e.g., Item Reference), and the like, as provided for by one or more utilized barcode symbologies (e.g., UPC-A/UCC-12).

The step of authenticating the remote reader may include confirming that a unique number provided by the remote reader (the reader identification number) is associated with the customer number provided by the remote reader.
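The method of the third aspect, carried through on constructed data, is sketched below as an added example that is not part of the application. It assumes the index is a SHA-256 hash of the item code, that the security feature is stored as (wavelength, intensity) pairs, and that a match means every pair agrees within the tolerances shown; all identifiers and values are hypothetical.

```python
import hashlib

# Assumed matching tolerances; the application does not specify any.
WAVELENGTH_TOL_NM = 1.0
INTENSITY_TOL_REL = 0.05


def derive_index(item_code: str) -> str:
    """Derive the data store index from the data read from the item."""
    return hashlib.sha256(item_code.encode("utf-8")).hexdigest()


def signature_matches(read, stored) -> bool:
    """Compare two spectral signatures given as (wavelength_nm, intensity) pairs."""
    if len(read) != len(stored):
        return False
    for (rw, ri), (sw, si) in zip(sorted(read), sorted(stored)):
        if abs(rw - sw) > WAVELENGTH_TOL_NM:
            return False
        if abs(ri - si) > INTENSITY_TOL_REL * max(si, 1e-9):
            return False
    return True


class DataStore:
    def __init__(self):
        self.entries = {}   # index -> item entry
        self.readers = {}   # reader identification number -> customer number

    def register_reader(self, reader_id: str, customer: str) -> None:
        self.readers[reader_id] = customer

    def register_item(self, customer: str, item_code: str, signature) -> None:
        # Stores the item and the security feature associated with that item.
        self.entries[derive_index(item_code)] = {
            "customer": customer,
            "signature": list(signature),
            "history": [],   # (timestamp, reader_id) per successful authentication
        }


def authenticate(store: DataStore, request: dict, system_id: str, timestamp: int) -> dict:
    """Return an authenticity confirmation on a match, else a limited failure message."""
    failure = {"request_successful": False}   # carries no system identification

    # Authenticate the reader: its number must belong to the customer it claims.
    if store.readers.get(request["reader_id"]) != request["customer"]:
        return failure

    # Derive the index from the read item data and access the data store.
    entry = store.entries.get(derive_index(request["item_code"]))
    if entry is None or entry["customer"] != request["customer"]:
        return failure

    # Compare the read security feature with the one stored for this item.
    if not signature_matches(request["signature"], entry["signature"]):
        return failure

    entry["history"].append((timestamp, request["reader_id"]))
    return {
        "customer": request["customer"],
        "reader_id": request["reader_id"],
        "request_successful": True,
        "system_id": system_id,
        "timestamp": timestamp,
    }


def build_sample_store() -> DataStore:
    """Constructed sample: two compartments of one package, one registered reader."""
    store = DataStore()
    store.register_reader("RDR-0001", "0123456")
    store.register_item("0123456", "ITEM-A-000001", [(545.0, 0.42), (612.0, 1.00)])
    store.register_item("0123456", "ITEM-B-000002", [(590.0, 0.80), (700.0, 0.30)])
    return store


if __name__ == "__main__":
    s = build_sample_store()
    good = {"customer": "0123456", "reader_id": "RDR-0001",
            "item_code": "ITEM-A-000001",
            "signature": [(612.4, 1.02), (545.3, 0.41)]}
    print(authenticate(s, good, "SYS-EXAMPLE-01", 1000))
```

Because the entry is looked up by item code and then checked against that item's own security feature, a genuine security code read from a different compartment does not authenticate the item.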

According to a fourth aspect of the present invention there is provided an authentication system for authenticating an item, the system comprising: a data management system according to the second aspect of the invention, and at least one remote reader coupled to the data management system, the remote reader comprising: (i) a security module, and (ii) a read engine for reading an item code carried by an item and a security code associated with that item code.

The security module may include an encryption unit. Additionally, the security module may be tamper responsive for destroying any stored encryption data (such as keys, algorithms, or such like) in the event that the security module is tampered with. Tamper responsive features typically detect any attempt to disassemble or penetrate a security module, for example, by detecting penetration of a conducting mesh surrounding the unit, by detecting removal of screws or other fixtures holding the unit together, or by detecting cutting of any data-carrying wires. Tamper responsive features are typically connected to an erase pin on a non-volatile memory storing encryption data.

The security module may include a unique identification, which may be conveyed to the data management system as part of an authentication request, to allow the remote reader to be identified by the data management system.

Prior to removing an individual item from the package, a consumer can validate the authenticity of the item using the authentication system. When the item code and associated security code are scanned by the reader, the data management system can create additional records that tie the identity of an item dispensed to the identity of the person to whom the item is dispensed. This allows any problems with lots or batches of pharmaceuticals to be matched directly to the consumers of those pharmaceuticals. Such a person may be identified through association with a unique reader used to scan the item and associated security code, and/or through entry of one or more of unique numeric, biometric, card scan or other information through use of one or more of a numeric keypad, biometric input device and/or card scanner associated with the reader, and the like.

According to a fifth aspect of the present invention there is provided a secure reader for reading a spatial code and a security feature, the secure reader comprising: (i) a security module, and (ii) a read engine for reading both an item code carried by an item, and a security code provided on a package for or, more preferably, containing that item.

The security module may be operable to transmit a unique reader identification each time an authentication request is sent to a remote data management system.

The security module may include an encryption unit. Additionally, the security module may be tamper responsive for destroying any stored encryption data (such as keys, algorithms, or such like) in the event that the security module is tampered with. Tamper responsive features typically detect any attempt to disassemble or penetrate a security module, for example, by detecting penetration of a conducting mesh surrounding the unit, by detecting removal of screws or other fixtures holding the unit together, or by detecting cutting of any data-carrying wires. Tamper responsive features are typically connected to an erase pin on a non-volatile memory storing encryption data.

The security module may include a unique identification, which may be conveyed to the data management system as part of an authentication request, to allow the remote reader to be identified by the data management system.

The security module may store a plurality of controlling and/or processing algorithms which can be selectively used to read the security feature or to process data read from the security feature. The algorithms may have associated parameters stored by the security module, including read delay time (time delay between exciting a security feature and reading the luminescence emitted in response to that excitation), integration time, spectral range (that is, the wavelength range over which a luminescence spectrum is recorded), spectral resolution (that is, the number of discrete sample points read within a spectral range), and such like. The associated parameters may be incorporated (for example, hard coded) into the algorithms, or they may be stored separately from the algorithms, so that the data management system can transmit updated parameters to the secure reader for use with the algorithms already stored in the secure reader. The parameters may include reading parameters that control how the secure reader reads a security feature, and processing parameters that control how the secure reader processes data read from a security feature. The data management system may select a particular algorithm to be used by a secure reader on a scheduled or randomized basis.

The security module may include a clock generator, and may also include a timestamp generator.

The secure reader may include a global positioning system (GPS) receiver to allow the reader to provide the data management system with details of the reader's current position. In operation, the GPS receiver continually determines its position. Periodically, the data management system may send a packet request to the reader which asks for the reader's unique hardware identification ID (which may be a MAC address of a communications adapter), the current latitude/longitude, and a GPS timestamp and a timestamp from the timestamp generator.

The GPS timestamp may be used to calibrate the timestamp from the timestamp generator. If the times (which are incremented as ticks from a known base) do not match, then the secure reader may have been compromised.

The latitude and longitude (that is, the position of the secure reader) are determined from a GPS Coarse Acquisition (CA) signal, which has a current accuracy of 100 meters. As the CA accuracy increases with newer GPS receivers, the positional accuracy will also increase.

An altitude value may also be provided to indicate where in a building (what floor) the secure reader is located.

These periodic readings may be stored in the data store of the data management system. If there is a change in the readings without a corresponding re-registration request from the secure reader incorporating the GPS receiver, then the data management system may execute a trigger to notify the owner of the data management system. Such readings may be taken daily, although the frequency of such readings may depend on the service level requested and paid for by the customer.

In addition to periodic readings, the data management system may take readings during initial registration of a secure reader.

The secure reader may be operable to upload data from a security feature for storing with a data management system. The reader may use an association request having a data structure comprising: a customer identification field (comprising a global identification and/or the UCC Company Prefix), a reader identity field, a function request field indicating that the desired function is to store security feature data in the data store, a timestamp field, and spectral data fields. The spectral data fields may include the number of bytes of data to be sent, the spectral resolution, the number of points sampled, the actual spectral data (which may be sent as multiple packets of data), and such like.

The secure reader may be operable to read a plurality of spatial codes in a single operation and also to read a plurality of security features in a single operation, and to link each read spatial code with its corresponding security feature.

The secure reader may be operable to prepare and communicate a registration request to the remote data management system so that the data management system can register the secure reader as active.

The secure reader may include an auxiliary cryptographic device that enables the reader to be authenticated prior to allowing any software to be downloaded or updated. The auxiliary cryptographic device may be a dongle, a smart card, or the like.

The auxiliary cryptographic device may store a unique code that is transmitted to the remote data management system by the secure reader as part of the registration request. The secure reader may transmit a de-registration request to the remote data management system if the auxiliary cryptographic device is removed, or if the unique code is not provided by the auxiliary cryptographic device. If the auxiliary cryptographic device is replaced, then the secure reader may have to re-register with the remote data management system. The remote data management system may compare current information transmitted by the secure reader as part of the re-registration request with information transmitted prior to de-registering the auxiliary cryptographic device. This information may include location information in addition to information relating to the identity of the secure reader, for example, a MAC address and hardware serial numbers. If the current information is consistent with the information transmitted prior to de-registering the auxiliary cryptographic device then the data management system may re-register the secure reader.

The initial registration of a secure reader may compare information (except for location) that was recorded at the time of manufacture of that secure reader.

The read engine may include a first component for reading the item code carried by the item, and a second component for reading a security code provided on a package for or, more preferably, containing that item. The first and second components may be mounted for reading from only one side of the package. Alternatively, the first and second components may be mounted on opposing sides of a bifurcated reader so that the read engine may be used for reading opposing sides of the package.

According to a sixth aspect of the present invention there is provided a data management system for tracking an item, the system comprising: a data store for storing at least one entry, the entry including (i) information identifying an item, and (ii) information about a security feature associated with that item; an authenticator operable to access the data store in response to a request from a remote reader and including (i) a reader validator to authenticate the remote reader by ascertaining the identity and location of the remote reader, and (ii) a security feature validator to authenticate a security feature read by the remote reader and to issue an authenticity confirmation in the event that a security feature is successfully validated; a tracker for maintaining a record in the data store of each occasion on which the item is authenticated and the location of the remote reader that requested authentication of that item; and a port for coupling the remote reader and the authenticator to enable requests to be transmitted from the reader to the authenticator and responses to be transmitted from the authenticator to the reader.

The data management system may include a security gateway in communication with the port to protect the port against unauthorized access.

By virtue of this aspect of the invention, an item can be traced from manufacture through a supply chain or distribution chain, thereby providing authenticated track and trace functionality.

According to a seventh aspect of the invention there is provided a method for charging for secure data management and item authentication, the method comprising: charging an initiation fee to a customer to create an entry for an item owned or manufactured by the customer; charging an annual maintenance fee to maintain the entry for the customer; charging an authentication fee each time the customer requests authentication of the item.

The method may include the further step of charging a lease fee to a customer for each secure reader the customer leases, where a secure reader is required to request authentication of an item.

The method may include charging the customer on a per byte basis.

The method may include charging an additional fee to issue updated configuration parameters to secure readers to instruct the secure readers about how to operate.

The method may include charging the customer for a track and trace report for an item, the track and trace report being generated automatically and including details of when the item was authenticated, and the identity and location of secure readers that requested authentication of the items.

According to an eighth aspect of the invention there is provided a method of charging a customer for secure data management and item authentication, the method comprising: providing the customer with secure readers for reading security features applied to items, licensing a data management system to a customer for the customer's use, and charging a license fee based on the number of authentications performed in a specified time period.

The specified time period may be daily, weekly, monthly, quarterly, annually, or such like.

The method may include the step of charging a fee to the customer for securely populating the data management system with security feature information.

According to a ninth aspect of the invention there is provided a method of marking an item to allow validation and tracing of that item, the method comprising: providing a package having an optically transparent base defining a plurality of compartments; inserting individual items into each of the compartments; writing a unique item code on each item; and applying a unique security code in registration with each compartment, to allow association of the item code and the security code for each compartment.

In some embodiments, a method of marking items and packaging thereof is provided, the method comprising: providing a package having an optically transparent base defining a plurality of compartments; inserting an individual item into each of the plurality of compartments; applying a unique item code to each individual item; and applying a unique security code to each compartment. The method may comprise the further step of associating the unique item code for each individual item with the unique security code for the compartment into which the respective item is inserted. Depending on the embodiment, applying a unique item code to each individual item and/or a unique security code to each compartment may comprise writing, printing, etching, labelling, adhering, and the like, the unique item code and/or the unique security code to the respective item and/or compartment. Likewise, in some embodiments, the unique security code may be applied in registration with the unique item code to allow simultaneous or near simultaneous reading of the unique item code and the unique security code.

According to a tenth aspect of the invention there is provided a package comprising: a sealed container defining an optically transparent portion and including at least one unique security feature; and an item located within the container, and carrying a unique item code, where the item code is aligned with the optically transparent portion to facilitate reading of the item code from outside the package; wherein a remote database stores the relationship between the unique security feature and the unique item code to allow authentication of the item.

The item may be a pharmaceutical, a medical device (such as a stent, a pacemaker, a surgical instrument, or the like), an electronic component (such as a microprocessor, a resistor, or the like), a mechanical component (such as a brake pad) or the like.

An embodiment of the present invention will now be described, by way of example, with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the accompanying drawings:

FIG. 1 is a block diagram illustrating a networked authentication system including a data management system according to one embodiment of the present invention;

FIGS. 2A and 2B are schematic plan and elevation views respectively of a semiconductor microprocessor incorporating a security feature;

FIG. 3 is a schematic diagram of a part (a secure reader) of the networked authentication system of FIG. 1;

FIG. 4 is a block diagram of a part (a read engine) of the secure reader of FIG. 3;

FIG. 5 is a block diagram of another part (a secure module) of the secure reader of FIG. 3;

FIG. 6 is a diagram illustrating the data typically stored in an entry for an item in the data store of FIG. 1;

FIG. 7 is a flowchart illustrating the steps involved in registering a secure reader of FIG. 3 with the data management system of FIG. 1;

FIG. 8 is a flowchart illustrating the steps involved in populating an entry in the data management system of FIG. 1 that associates a security feature with a spatial code;

FIG. 9A is a diagram illustrating the format of an association request packet sent from the secure reader of FIG. 3 to the data management system of FIG. 1;

FIG. 9B is a diagram illustrating the format of association data packets sent with an association request packet from the secure reader of FIG. 3 to the data management system of FIG. 1;

FIG. 10 is a flowchart illustrating the steps involved in authenticating an item (a microprocessor) using the data management system of FIG. 1;

FIG. 11 is a diagram illustrating the format of an authentication request sent from the secure reader of FIG. 3 to the data management system of FIG. 1;

FIG. 12 is a diagram illustrating the format of an authenticity confirmation sent from the data management system of FIG. 1 to the secure reader of FIG. 3;

FIG. 13 is a diagram illustrating the format of a reader control command sent from the data management system of FIG. 1 to the secure reader of FIG. 3;

FIG. 14 is a perspective drawing of a package according to another embodiment of the present invention;

FIG. 15 is an underside plan view of the package of FIG. 14; and

FIG. 16 is an enlarged view of a portion of the package of FIGS. 14 and 15.

DETAILED DESCRIPTION

Reference will now be made to FIG. 1, which is a networked authentication system 8 including a data management system 10 according to one embodiment of the present invention.

Structure of Networked Authentication System

The data management system 10 comprises a transaction database 11a selectively coupled to a query database 11b.

The transaction database 11a comprises: a data store 12 coupled to an interface 14 via an authenticator 16.

The data store 12 comprises a plurality of storage nodes 12a, 12b, . . . 12n, each storage node having a plurality of storage areas 12a₁, 12a₂, . . . 12aₙ. Each storage area can store a large number of entries relating to items to be authenticated.

The authenticator 16 comprises a plurality of authenticator nodes 16a, 16b, . . . 16n (one of which will be referenced as 16ₓ), each coupled to shared resources 18. Each authenticator node 16 includes a security feature authenticator 20, a secure reader authenticator 22, and a customer authenticator 24. The shared resources 18 include processes, files, data, objects, and hardware that are used by the authenticator nodes 16ₓ. As shown in FIG. 1, the shared resources 18 comprise: a timestamp generator 26 continually incrementing from a known base, a log file 28 for recording any failed authentication attempts, non-volatile storage 30 for storing authentication requests until accessed and actioned by an authentication node 16ₓ, a unique system identification 32 for identifying the data management system 10, an object repository 34 containing various objects accessible by the authentication nodes 16ₓ, as will be described in more detail below, and a transaction identifier counter 36 that is incremented each time a successful authentication is performed by the security feature authenticator 20.

The interface 14 comprises: a port 40 supporting logical and physical connections to allow remote components to access the data management system 10, a reader interface 44 for allowing authorized remote readers to request authentication of a security feature read by the remote readers, a security gateway 46 implementing firewalls for securing the interface 14 against unauthorized access, and a load balancer 48 to optimize use of the authenticator nodes 16ₓ.

The query database 11b comprises: an interface 14b including a port 40b (similar to port 40), and a customer interface 42. The port 40b includes a security gateway (not shown) implementing firewalls for securing the interface 14b against unauthorized access. The query database 11b also includes a store 80 including a plurality of storage areas (82a to 82n).

The query database 11b can periodically be coupled to the transaction database 11a (illustrated by broken line 84) to transfer some or all of the contents of the data store 12 from the transaction database 11a to the query database 11b. The customer interface 42 may be disconnected when this occurs to isolate the transaction database 11a from possible attacks through the customer interface 42.

The contents of the data store 12 are typically transferred from the transactional database 11a to the query database 11b using an extract, transform, and load command (ETL command). The transactional database 11a stores current data and is optimized for executing transactions (such as authentication requests); whereas, the query database 11b may store historical data to allow an owner or a customer to execute queries covering a long time period.

Once the required contents of the data store 12 have been transferred to the query database 11b, the customer interface 42 is re-connected to allow customers to access the query database 11b and run permitted queries against the stored data.

Reference will now also be made to FIGS. 2A and 2B, which are schematic plan (FIG. 2A) and elevation (FIG. 2B) views of a semiconductor microprocessor 100.

FIG. 1 illustrates three different facilities coupled to the data management system 10: a manufacturing plant 50 that makes semiconductor microprocessors 100 of the type shown in FIGS. 2A and 2B, a distribution facility 60 that receives the manufactured microprocessors 100 and ships them to customers, and a headquarters 70 of the company that designs and manufactures the microprocessors 100.

The manufacturing plant 50 includes a plurality of secure readers 52, only three of which are shown, each of which can connect to the reader interface 44 in the data management system 10 via a concentrator 54 within, or accessible from, the manufacturing plant 50. Similarly, the distribution facility 60 also includes a plurality of secure readers 62, again, only three of these are shown in FIG. 1, and each of which can connect to the reader interface 44 in the data management system 10 via a concentrator 64 in the distribution facility. The company headquarters 70 includes a computer system 72 having access to the customer interface 42 of the data management system 10.

The microprocessor 100 comprises a packaged component having an upper surface 102 surrounded on four sides by connector pins 104 (only a few of which are labelled) for allowing the microprocessor to be inserted into a motherboard socket. The upper surface 102 has a two-dimensional (2D) barcode 106 laser etched thereon. A security feature 110 (best seen in FIG. 2B) comprising lanthanide-doped silica particles suspended in an optically transparent ink is applied on top of, and in registration with, the 2D barcode 106. The security feature 110 acts as a security seal for the barcode, and can be read simultaneously (or near simultaneously) with the 2D barcode 106.

The lanthanide-doped silica particles can be fabricated using any convenient method. One way of making lanthanide-doped particles is described in US patent application number 2004/0262547, entitled “Security Labelling,” and US patent application number 2005/0143249, entitled “Security Labels which are Difficult to Counterfeit”, both of which are incorporated herein by reference.

Reference is now also made to FIG. 3, which is a schematic diagram of one of the (identical) secure manufacturing readers 52 shown in FIG. 1, and also to FIGS. 4 and 5, which are block diagrams showing parts of the secure reader 52 in more detail. Each secure reader 52 is located within the manufacturing plant 50 and connects to the data management system 10 via a concentrator 54 that handles the communications with the reader interface 44.

The secure reader 52 is a modified conventional 2D barcode scanner, such as those available from Symbol Technologies, Inc. (trade mark) or Metrologic Instruments, Inc. (trade mark). The secure reader 52 comprises: a scanning window 120; a conventional 2D barcode imager 122 aligned with the scanning window 120; associated control electronics 124 for activating the conventional imager 122 (in response to a user depressing a trigger 126) and processing data received from the imager 122; an LCD panel 128 for outputting information to the user (such as information from an item read by the scanner, the status of the scanner, and such like); a function button 130 for controlling the function of the secure reader 52; internal connections 132 for interconnecting the various components within the secure reader; a communications module 134 (including a unique hardware identification in the form of a MAC address) implementing a cable or wireless connection to the concentrator 54; a security feature read engine 140 for reading the security feature 110 carried by a microprocessor 100; and a security module 150 coupled to the security feature read engine 140.

The read engine 140 (best seen in FIG. 4, which is a block diagram illustrating the read engine 140 in more detail) includes a spectrometer 142 for detecting luminescence in the visible and near infra-red regions of the electromagnetic spectrum, and an excitation source 144 in the form of LEDs disposed on opposing sides of the spectrometer 142 and emitting in the ultra-violet region of the electromagnetic spectrum. The LEDs 144 are coupled to the security module 150 by power lines 146, and the spectrometer 142 is coupled to the security module 150 by power and data lines 148.

The security module 150 (best seen in FIG. 5, which is a block diagram illustrating the security module 150 in more detail) comprises a sealed housing 152 in which the following components are mounted: control electronics 154 for driving the security feature read engine 140 and for processing data received therefrom; a conventional cryptographic processor 156 to support encrypted communication with the concentrator 54; non-volatile storage 158 for storing encryption keys and/or encryption algorithms and the unique system identification 32 of the data management system 10; a security membrane 160 (illustrated by a broken line in FIG. 5) disposed around an inside surface of the housing 152 and coupled to tamper switches 162 that activate an erase line of the non-volatile storage 158 when the membrane 160 is penetrated or disturbed, thereby destroying any stored encryption data (such as keys, algorithms, or such like) in the event that the security module 150 is tampered with. An internal bus arrangement 164 is also provided to facilitate communications within the housing 152, and a communication adapter 166 is provided to facilitate communications between the security module 150 and the other components of the secure reader 52.

The control electronics 154 includes a clock 166, and a timestamp generator 168 that maintains a timer using an offset from a known base, incremented by ticks based on the clock 166. The control electronics 154 also accesses and executes from the non-volatile storage 158 interrogation parameters 170 and processing algorithms 172.

An externally-accessible port 174 is provided to allow an auxiliary cryptographic device 176 (a dongle) to be coupled to the secure module 150.

Referring again to FIG. 1, the distribution facility readers 62 are very similar to the manufacturing facility readers 52, the main difference being that the distribution facility readers 62 do not support entry creation mode, as will be explained in more detail below.

Operation of Networked Security System

Operation of the networked security system will now be described. There are four main operations that the networked security system can perform: (i) registration of remote readers 52, 62, (ii) association of security features with barcodes, (iii) authentication of items (such as the microprocessor 100), and (iv) control of the remote readers 52, 62 by downloading parameters from the data management system 10.

Prior to describing these operations, the general structure of an entry in the data store 12 will be described, with reference to FIG. 1 and FIG. 6, which is a diagram illustrating the data typically stored in an entry for an item.

In FIG. 6, an entry 180 comprises four main categories of information: customer identification information 182, item information 184, security feature information 186, and remote reader information 188.

The customer identification information 182 includes fields for a global customer identification and for a UCC Company Prefix from a 2D barcode. The global customer identification is assigned by the owner of the data management system 10, and is unique for each customer. The customer identification information may include additional fields not listed herein.

The item information 184 includes fields for a description of the item (for example, a microprocessor), a serial number and/or part number of the item, a location where the item is manufactured and/or distributed, and information from a barcode on the item. Additional or different fields may be provided depending on the particular item, the application and/or industry that item will be used in, and the value of that item.

The security feature information 186 includes fields indicating the type of security feature (optical, magnetic, radio-frequency, or such like), and data representing the security feature. The data representing the security feature may be raw data, or some transformation of the raw data. In this embodiment, the security features used are optical, and the data representing the security feature is raw data stored in pairs of data points, namely, intensity and wavelength for each wavelength of interest. The security feature information 186 may be populated by the owner when a security feature 110 is assigned to a customer, or it may be populated by the customer uploading the security feature information using the readers 52.

The remote reader information 188 includes fields indicating the identity and/or location of those readers 52, 62 that are permitted to request authentication of that item (that is, the item listed in the entry 180). These fields may include that information directly, or they may provide a link to another storage area 12aₓ or storage node 12x that stores such information. In this embodiment, the remote reader information 188 provides a link to a storage node 12x that stores the identity of those remote readers 52, 62 authorized to request authentication of that item. In this example, storage node 12c stores the remote reader identification information, and will be referred to herein as “the reader identification storage node 12c”.

Remote Reader Registration

The first operation that will be described is registration of remote readers 52, 62. This operation will be described with reference to FIG. 7, which is a flowchart illustrating the steps involved in registering a remote reader 52, 62 with the data management system 10.

Initially, the manufacturer of the item (in this example, the microprocessor 100) requests the data management system owner (hereinafter, “the owner”) to tag the microprocessor 100 (step 200). This involves the customer contracting with the owner to receive authentication services. In this example, this involves the customer paying an initialization fee to establish an entry 180 for each type of item (in this example, each model of microprocessor 100) to be authenticated, and an annual storage fee to pay for the data management system owner to store the customer's information. The owner will also sell or lease to the customer one or more remote readers 52 for the manufacturing plant 50, one or more remote readers 62 for the distribution facility 60, and a dongle 176 for each reader 52, 62.

The next step is for the owner to assign a unique global identification to the customer (step 202). The unique global identification is a unique number incremented by one for each new customer. The unique global identification is loaded by the owner into the non-volatile storage 158 of each reader 52, 62 sold or leased to that customer.

The next step (step 204) is to create a master entry in the data store 12 to allow the customer to populate entries under that master entry for the different models of microprocessors 100 to be authenticated. In this example, only one model of microprocessor is to be authenticated (and no other types of items are to be authenticated), so there will only be one entry for this customer. Each customer may have multiple entries, for example, a customer may have ten different models of microprocessors, and five different models of north bridge memory management controllers. In such an example, the customer would have fifteen different entries. Creation of a master entry does not restrict the number of entries that a customer may populate.

To create a master entry, the owner provides the UCC Company Prefix and the global identification of the customer to the data store 12 together with the identities (that is, the MAC addresses in this embodiment) of the remote readers 52, 62 permitted to request authentication of the security feature 110.

The next step (step 206) is to install the readers 52, 62 into the appropriate customer facilities, that is, the manufacturing plant 50 and the distribution facility 60. This is performed by connecting the readers 52, 62 to the appropriate concentrator 54, 64.

Each reader 52, 62 may be provided with a keypad so that an operator has to enter an access code prior to the reader 52, 62 allowing the operator to access any of the reader's functions. Alternatively, a biometric input device (e.g., a fingerprint sensor), a card reader, or the like may be used to restrict access to the reader 52, 62 to one or more authorized users. For readers 52, 62 located in secure facilities, no additional access codes or permissions may be required. Additionally or alternately, a keypad, a biometric input device, a card reader or the like may be used to identify a user of a reader for association of the user with the package and/or item in a data management system as described in, for example, the fourth aspect of the invention (authentication system) disclosed hereinabove.

The next step (step 208) is to send a registration request from the readers 52, 62 to the data management system 10. This involves switching the readers 52, 62 to registration mode by a user pressing the function button 130 repeatedly until the LCD panel 128 displays “Registration”. In registration mode, when the trigger 126 is pressed the reader 52, 62 verifies that the dongle 176 is present (by reading the unique code stored in the dongle and comparing it with a dongle code in the non-volatile storage 158). If the dongle 176 is present, the reader 52, 62 sends an encrypted registration request to the data management system 10 via the appropriate concentrator 54, 64. The registration request includes the MAC address of the reader 52, 62 and the global identification of the customer (from the non-volatile storage 158). Where a global positioning system (GPS) unit is installed in the readers 52, 62, then GPS location information may also be transmitted.

On receipt of the registration request, reader interface 44 decrypts the request and conveys it to the secure reader authenticator 22, which parses the registration request to obtain the MAC address of the reader 52, 62 that sent the request, and the global identification of the customer. The secure reader authenticator 22 then accesses the data store 12 to authenticate the reader 52, 62 (step 210). The reader interface 44 may convey the decrypted request directly to the secure reader authenticator 22, or it may transfer the decrypted request to the non-volatile storage 30 to allow any available authenticator node 16ₓ to action the decrypted request.

To authenticate the reader 52, 62 the following authentication process is used. The secure reader authenticator 22 ascertains if the MAC address of the reader 52, 62 sending the registration request matches the MAC address of permitted readers stored in the reader identification storage node 12c. If there is a match, the secure reader authenticator 22 then ascertains if the MAC address of the permitted reader 52, 62 is associated with the global identification of the customer. This is implemented by searching data entry 180 for that customer (based on the global identification or the UCC Company Prefix, both of which are stored in the identification information 182 of that entry 180). If the reader information 188 for that entry 180 includes a reference to a reader 52, 62 having that MAC address, then the permitted reader 52, 62 is associated with that customer.

If they are associated (that is, if the permitted reader 52, 62 is owned or operated by (or under the authority of) the customer identified by the global identification) then the secure reader authenticator 22 conveys a registration successful communication to the secure reader 52, 62. In embodiments where a GPS unit is installed in the readers 52, 62, then the GPS location information sent by the secure reader 52, 62 may also be validated by comparing it with location information stored in the reader identification storage node 12c prior to conveying a registration successful communication to the secure reader 52, 62. The registration successful communication includes the system identification 32 (FIG. 1), and a registration successful field.

If there is not a match between the received MAC address and permitted MAC addresses, or if the received MAC address is not associated with the customer that sent the registration request, then the secure reader authenticator 22 conveys a registration unsuccessful communication to the secure reader 52, 62. The registration unsuccessful communication includes the system identification 32 (FIG. 1), and a registration unsuccessful field. The secure reader authenticator 22 adds information about unsuccessful registration attempts to the log file 28.

If the reader 52, 62 is successfully registered, then the data store 12 updates its entries accordingly, using an update object from objects repository 34 (step 212). This allows that registered secure reader 52, 62 to send authentication requests.

The secure module 150 also illuminates a registered icon on the LCD panel 128 to notify a user of the reader 52, 62 that the reader 52, 62 is ready to send authentication requests (step 214).

If the reader 52, 62 is not successfully registered, then the secure reader authenticator 22 will not accept authentication requests from that secure reader 52, 62 until it has been registered. The secure module 150 also illuminates an unregistered icon on the LCD panel 128 (step 216).

If the dongle 176 is removed from the port 174, then the reader 52, 62 detects this. For example, the secure module 150 may poll the dongle 176 periodically to verify that the dongle 176 is present and that the correct code is being provided by the dongle 176. If the dongle 176 is not present, then the reader 52, 62 transmits a de-registration request to the data management system 10.
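The registration decision of steps 208 to 216, together with de-registration, can be sketched as follows. This Python code is an added illustration and is not part of the application; the class and function names, the location tolerance, and the sample MAC addresses and customer identifications are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

SYSTEM_ID = "DMS-EXAMPLE-0001"  # constructed stand-in for system identification 32


@dataclass
class ReaderRecord:
    """Row in the reader identification storage node (12c in the text)."""
    mac: str
    location: Optional[tuple] = None  # (lat, lon) held for the reader, if any
    registered: bool = False


@dataclass
class DataStore:
    readers: dict            # permitted readers: MAC -> ReaderRecord
    customer_readers: dict   # global customer id -> set of MACs (reader info 188)
    log: list = field(default_factory=list)  # log file 28: failed attempts only


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def location_matches(sent, stored, tol_deg=0.01) -> bool:
    # tol_deg is an assumed tolerance; the text only says the values are compared.
    return abs(sent[0] - stored[0]) <= tol_deg and abs(sent[1] - stored[1]) <= tol_deg


def register(store: DataStore, request: dict) -> dict:
    """Apply the checks of step 210 to an already decrypted registration request."""
    mac = normalize_mac(request["mac"])
    record = store.readers.get(mac)
    reason = None
    if record is None:
        reason = "mac-not-permitted"
    elif mac not in store.customer_readers.get(request["global_id"], set()):
        reason = "mac-not-associated-with-customer"
    elif (request.get("gps") is not None and record.location is not None
          and not location_matches(request["gps"], record.location)):
        reason = "location-mismatch"

    if reason is not None:
        # The reason is written to the log only; the reply carries just the
        # system identification and the outcome field, as in the text.
        store.log.append({"mac": mac, "global_id": request["global_id"],
                          "reason": reason})
        return {"system_id": SYSTEM_ID, "registration": "unsuccessful"}

    record.registered = True  # step 212: the data store is updated
    return {"system_id": SYSTEM_ID, "registration": "successful"}


def deregister(store: DataStore, mac: str) -> None:
    """Handle the de-registration request sent when the dongle is missing."""
    record = store.readers.get(normalize_mac(mac))
    if record is not None:
        record.registered = False


def accepts_authentication(store: DataStore, mac: str) -> bool:
    """Only registered readers may send authentication requests."""
    record = store.readers.get(normalize_mac(mac))
    return record is not None and record.registered


def sample_store() -> DataStore:
    """Constructed sample data: two permitted readers owned by two customers."""
    return DataStore(
        readers={
            "00:11:22:33:44:55": ReaderRecord("00:11:22:33:44:55", (55.95, -3.19)),
            "00:11:22:33:44:66": ReaderRecord("00:11:22:33:44:66"),
        },
        customer_readers={1001: {"00:11:22:33:44:55"}, 1002: {"00:11:22:33:44:66"}},
    )


if __name__ == "__main__":
    store = sample_store()
    print(register(store, {"mac": "00-11-22-33-44-55", "global_id": 1001}))
    print(register(store, {"mac": "00:11:22:33:44:55", "global_id": 1002}))
    print(store.log)
```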

Association of Security Features with Barcodes

The second operation that will be described is association of the security feature 110 with the barcode 106. This operation will be described with reference to FIG. 8, which is a flowchart illustrating the steps involved in requesting an entry to be populated in the data store 12 for the type of microprocessor 100 being manufactured in the plant 50 and the particular optical signature of the security feature 110 that will be applied to it.

Once the 2D barcode 106 applied to the microprocessor 100 and the particular security feature 110 applied to that barcode 106 have been associated, the same security feature 110 can be routinely applied to that type of microprocessor 100 (providing that microprocessor 100 has the same 2D barcode, or at least the same UCC Company Prefix). In other words, the association of a security feature 110 with a 2D barcode only needs to occur once, and if it occurs more than once then there may be a security problem, such as a replay attack.

The first step is to change the mode of the registered manufacturing reader 52 to entry creation mode (step 220). This is performed by a user pressing the function button 130 repeatedly (thereby toggling through different modes) until the LCD panel 128 displays “New Entry”. If the manufacturing reader 52 is not registered, then the reader 52 will not change to entry creation mode. In this embodiment, the readers 62 in the distribution facility are not equipped with entry creation mode.

Once in entry creation mode, the user scans the 2D barcode 106 on the microprocessor 100 by aligning the scanning window 120 with the barcode 106 and depressing the trigger 126 (step 222). This causes the 2D barcode imager 122 and associated control electronics 124 to scan and decode the barcode 106, and the read engine 140 and security module 150 to read and decode the security feature 110.

In entry creation mode, the security module 150 uses default interrogation parameters 170 stored in the non-volatile storage 158 and executed by the control electronics 154. The interrogation parameters 170 relate to how long the LEDs 144 are energized, whether the spectrometer 142 records luminescence while the LEDs 144 are energized or a preset time delay after the LEDs 144 are de-energized, and such like.

Once the barcode 106 and security feature 110 have been read, the security module 150 then creates an association request (step 224). An association request informs the data store 12 about data from a security feature and data from an item tagged by that security feature. In this embodiment, the item is the microprocessor 100 and the data from a security feature 110 (which is lanthanide-doped silica particles suspended in an optically transparent ink) is the spectral signature of the security feature 110.

To create the association request, the security module 150 constructs a request packet and data packets having the formats shown in FIGS. 9A and 9B respectively. The association request 300 comprises: customer identification information 302 (in FIG. 9A this is provided by a global customer identification field 304 and a UCC Company Prefix field 306), reader identification information 308 (in the form of a MAC address), function request information 310 (in the form of a code indicating that the request is an association request), timestamp information 312 (generated by the timestamp generator 168 in the control electronics 154), barcode data size information 314 indicating the number of bytes of 2D barcode data that will be included in the association request 300, barcode data 316 (obtained during the scanning step 222), spectral quality information 318 indicating the number of pixels covered by each data packet, packet number information 320 indicating the number of data packets to follow, and actual data packets 322 a to 322 n corresponding to the packet number information 320. The actual data packets may be transmitted separately from fields 302 to 320 for more efficient communication.

The actual data packets 322 contain the security feature spectral information read during the scanning step 222. This information will be stored in the data store entry for the item having the 2D barcode identified by the barcode data field 316 (in this example, the microprocessor 100). In this embodiment, each data packet 322 contains 256 pixels, and there are sixteen data packets, which results in 4096 pixels for the security feature spectrum.

Once the security module 150 has populated the association request 300 with the relevant data, the next step is for the security module 150 to encrypt and transmit the association request 300 to the reader interface 44 in the port 40 of the data management system 10 (step 226).

On receipt of this encrypted association request, the reader interface 44 decrypts the request 300 (step 228). If the association request 300 cannot be decrypted then the reader interface 44 responds to the remote reader 52 with a failure message (step 234), and updates the log file 28 with details of the failed request. If the association request 300 is correctly decrypted, then the reader interface 44 conveys the decrypted association request 300 to the secure reader authenticator 22 (step 230).

The secure reader authenticator 22 parses the association request 300 to authenticate the reader 52 (step 232) that sent the message in a similar way to that described with reference to step 210 of FIG. 7; namely, the secure reader authenticator 22 ascertains if the MAC address corresponds to that of a permitted registered reader 52, and if so, if the permitted registered reader 52 is owned or operated by (or under the authority of) the customer (that is, if the global identification in the request 300 matches that associated with the reader 52 in the reader identification storage node 12 c).

If the reader authentication step (step 232) is not successful, then the secure reader authenticator 22 conveys a failure message to the security module 150 via the reader interface 44 and the concentrator 54 (step 234), and updates the log file 28 with details of the failed request. The failure message includes the unique system identification 32 and a failure field that indicates that the association request 300 was not successful.

If the reader authentication step (step 232) is successful, then the secure reader authenticator 22 creates a new entry in the data store 12 under the master entry 180 for that customer (step 236) using an entry creation object from the object repository 34. The new entry includes the optical spectrum information contained in the data packets 322 (stored in the security feature information 186), in addition to the barcode information 316 (which is stored in the item information 184), part of which is the UCC Company Prefix 306 (which is also stored separately in the identification information 182). The data store 12 may include additional fields, such as the timestamp information 312, a hash of the 2D barcode information 316, and a transformation of the optical spectrum information from the data packets 322.

Authentication of Items (the Microprocessor)

Once a data store entry has been created for the particular security feature 110 (that is, the optical luminescence spectrum emitted by the security feature 110 in response to excitation) applied to the microprocessor 100, that type of microprocessor 100 (that is, that model of microprocessor manufactured by the customer in the manufacturing plant 50) can be subsequently authenticated as it travels through the distribution chain.

To confirm that the security feature 110 is working correctly and/or applied correctly, one in every batch of microprocessors 100 (for example one in a hundred or one in a thousand microprocessors 100) manufactured may be authenticated at the manufacturing plant 50 prior to shipping to the distribution facility 60.

On arrival at the distribution facility 60, one in every batch of microprocessors 100 received may be authenticated to validate that the microprocessors 100 are genuine. The authentication process is the same, whether performed at the manufacturing plant 50 or the distribution facility 60, and will now be described with reference to FIG. 10, which is a flowchart illustrating the steps involved in authenticating an item (the microprocessor 100) using the data management system of FIG. 1.

The first step in the authentication process is to change the registered manufacturing or distribution reader 52, 62 to authentication mode (step 260). This is performed by a user pressing the function button 130 repeatedly (thereby toggling through different modes) until the LCD panel 128 displays “Authentication”. If the reader 52, 62 is not registered, then the reader 52, 62 will not change to authentication mode.

Once in authentication mode, the user scans the 2D barcode 106 on the microprocessor 100 by aligning the scanning window 120 with the barcode 106 and depressing the trigger 126 (step 262). This causes the 2D barcode imager 122 and associated control electronics 124 to scan and decode the barcode 106, and the read engine 140 and security module 150 to read and decode the security feature 110.

In this embodiment, in authentication mode, the security module 150 uses default interrogation parameters 170 stored in the non-volatile storage 158. The interrogation parameters relate to how long the LEDs 144 are energized, whether the spectrometer 142 records luminescence while the LEDs 144 are energized or a preset time delay after the LEDs 144 are de-energized, and such like.

Once the barcode 106 and security feature 110 have been read, the security module 150 then creates an authentication request (step 264). An authentication request conveys data from the security feature 110 to the data store 12. In this embodiment, the item is the microprocessor 100 and the data from the security feature 110 (which is lanthanide-doped silica particles suspended in an optically transparent ink) is the spectral signature of the security feature 110.

To create the authentication request, the security module 150 constructs a request packet having the format shown in FIG. 11. The authentication request 330 comprises: customer identification information 332 (provided by a global customer identification field 334 and a UCC Company Prefix field 336), reader identification information 338 (in the form of a MAC address), function request information 340 (in the form of a code indicating that the request is an authentication request 330), timestamp information 342 (generated by the timestamp generator 168 in the control electronics 154), barcode data size information 344 indicating the number of bytes of 2D barcode data that will be included in the authentication request 330, barcode data 346 (obtained during the scanning step 262), an algorithm identification code 348 (which identifies the specific algorithm 172 that was used to read the security feature 110), a sample size field 350 that indicates the number of bytes sampled (that is, the number of pairs of fields to follow), and pairs of data points fields 352 a, b, . . . n. Each pair of fields 352 contains a peak position and its associated intensity, with the number of data points fields 352 being indicated by the sample size field 350. The pairs of data points fields 352 may be transmitted with fields 334 to 350, or may be transmitted separately from fields 334 to 350 for more efficient communication.

The pairs of data points fields 352 contain portions of, or derived from, the security feature spectral information read during the scanning step 262.

Once the security module 150 has populated the authentication request 330 with the relevant data, the next step is for the security module 150 to encrypt and transmit the authentication request 330 to the reader interface 44 in the port 40 of the data management system 10 (step 266).

On receipt of this encrypted authentication request, the reader interface 44 decrypts the request 330 (step 268). If the authentication request 330 cannot be decrypted then the reader interface 44 responds to the remote reader 52, 62 with a failure message, and updates the log file 28 with details of the failed request. If the authentication request 330 is correctly decrypted, then the reader interface 44 conveys the decrypted authentication request 330 to the secure reader authenticator 22 (step 270).

The secure reader authenticator 22 parses the authentication request 330 to authenticate the reader 52, 62 (step 272) that sent the message in a similar way to that described with reference to step 210 of FIG. 7; namely, the secure reader authenticator 22 ascertains if the MAC address corresponds to that of a permitted registered reader 52, 62, and if so, if the permitted registered reader 52, 62 is owned or operated by (or under the authority of) the customer (that is, if the global identification in the request 330 matches that associated with the reader 52, 62 in the reader identification storage node 12 c).

If the reader authentication step (step 272) is not successful (for example, because the MAC is not present, or present but not correct, or because the global identification in the request is not a recognized global identification, or because it is a recognized global identification but does not correspond to the global identification associated with that MAC address), then the secure reader authenticator 22 conveys a failure message to the security module 150 via the reader interface 44 and the appropriate concentrator 54, 64 and updates the log file 28 with details of the failed request. The failure message includes the unique system identification 32 and a failure field that indicates that the authentication request was not successful. On receipt of a failure message from the data management system 10, the reader 52, 62 displays “Authentication Failure” on the LCD panel 128 (step 274).

If the reader authentication step (step 272) is successful, then the secure reader authenticator 22 conveys the authentication request 330 to the security feature authenticator 20 (step 276).

The security feature authenticator 20 parses the authentication request 330 to ascertain the algorithm identification code 348 and the pairs of data points fields 352 a, b, . . . n. The security feature authenticator 20 reviews the algorithm identification code 348 to ascertain if the optical spectrum information contained in the security feature information 188 needs to be transformed prior to comparing this information with the information from the pairs of data points fields 352. The optical spectrum information contained in the security feature information 188 was populated during step 236 (FIG. 8).

If the optical spectrum information needs to be transformed, then the security feature authenticator 20 first accesses a pre-stored algorithm (referenced by the algorithm identification code 348) to implement the required transformation. If the optical spectrum information does not need to be transformed, then the security feature authenticator 20 compares the information from the pairs of data points fields 352 with the optical spectrum information contained in the security feature information 188 (step 278).

If the feature authentication step (step 278) is not successful, then the security feature authenticator 20 conveys a failure message to the security module 150 via the reader interface 44 and the appropriate concentrator 54, 64 and updates the log file 28 with details of the failed request. The failure message includes the unique system identification 32 and a failure field that indicates that the authentication request was not successful.

On receipt of a failure message from the data management system 10, the reader 52, 62 validates that the unique system identification 32 corresponds to that stored in the non-volatile storage 158, and if so, displays “Authentication Failure” on the LCD panel 128 (step 274). If the unique system identification 32 does not correspond to that stored in the non-volatile storage 158, then the reader 52, 62 displays an error message, which may indicate an attempted man-in-the-middle attack on the authentication system 8.

If the feature authentication step (step 278) is successful, then the security feature authenticator 20 updates the entry 180 (using the update object from object repository 34) to include the identity of the reader 52, 62 that requested authentication, the timestamp from field 342, and any other desired information. The security feature authenticator 20 also prepares an authenticity confirmation for sending to the reader 52, 62 that sent the authentication request 330 (step 280).

The authenticity confirmation has the format shown in FIG. 12. The authenticity confirmation 360 comprises: customer identification information 362 (provided by a global customer identification field 364 and a UCC Company Prefix field 366), reader identification information 368 (in the form of a MAC address), request status information 370 (which is set to indicate that the authentication request was successful), timestamp information 372 (generated by the timestamp generator 26), a system identification field 374 populated by the unique system identification 32 from the shared resources 18, and a unique transaction identifier field 376 populated by the current value of the transaction identifier counter 36.

The security feature authenticator 20 then sends the authenticity confirmation 360 to the reader 52, 62 via the reader interface 44 and the appropriate concentrator 54, 64.

On receipt of the authenticity confirmation 360, the reader 52, 62 parses the authenticity confirmation 360 to validate that the system identification 32 corresponds to that stored in the non-volatile storage 158, and then displays “Authenticated” on the LCD panel 128 (step 282). If the system identification 32 does not correspond to that stored in the non-volatile storage 158, then the reader 52, 62 displays an error message.

The reader 52, 62 then stores the timestamp value from field 372 and the transaction identifier from field 376 in non-volatile storage 158, thereby over-writing any previously stored timestamp value and transaction identifier.

Any subsequent authentication request 330 will only be accepted by the reader authenticator 22 if the timestamp of the subsequent request is greater than that of the last stored timestamp.

Similarly, any subsequent authenticity confirmation 360 will only be treated as authentic by a reader 52, 62 if the authenticity confirmation 360 has a transaction identifier that is greater than the last stored transaction identifier, and a timestamp that is greater than the last stored timestamp.

The reader authenticator 22 and the security feature authenticator 20 may be operable to trigger an exception process in the event that any authentication step is not successful. The exception process may activate a notification object from the object repository 34 to notify the owner and/or the customer about the unsuccessful attempt to authenticate an item, register a reader, or to populate an entry.

On each occasion that an item (such as the microprocessor 100) is successfully validated, the data management system 10 may update the data store 12 with details of the time at which the authentication occurred, the reader identity and location that issued the authentication request, and any other desired information. In this example, storage node 12 d is used to store this information, and there is a link in the reader information 188 to this storage node 12 d.

Control of the Remote Readers 52, 62

The fourth operation of the networked security system that will be described is control of the remote readers 52, 62. For an additional fee, the owner of the data management system 10 may transfer reading configuration parameters to the remote readers 52, 62 to instruct the remote readers 52, 62 about how to interrogate the security feature 110 and/or process the optical response from the security feature 110. To implement this, the data management system 10 can periodically (for example, daily, weekly, or monthly) supply the security modules 152 with a reader control command containing new information for the interrogation parameters 170 and the processing algorithms 172 in the non-volatile storage 158. Issuance of the reader control command may be triggered by a parameter issuing object from the object repository 34.

FIG. 13 illustrates the format of the reader control command 380, which comprises: customer identification information 382 (provided by the global customer identification field 384 and the UCC Company Prefix field 386), reader identification information 388 (in the form of a MAC address), an algorithm identification code 390 (which identifies the specific algorithm 172 that should be used by the reader 52, 62 to read the security feature 110), a system identification field 392 populated by the unique system identification 32 from the shared resources 18, a unique transaction identifier field 394 populated by the current value of the transaction identifier counter 36, timestamp information 395 (generated by the timestamp generator 26), a parameters byte count 396 indicating the number of algorithm parameters contained within the reader control command 380, and algorithm parameters fields 398 a, b, . . . n.

The algorithm parameters fields 398 contain the actual parameters that will be used by the control electronics 154 to interrogate a security feature 110 and to process the response detected from the security feature 110. For interrogation of a security feature 110, these parameters may control: the type of excitation (where multiple different LEDs are available to choose from), duration of excitation, any time delay between ceasing excitation and measuring luminescence. For processing the luminescence measured from the security feature 110, these parameters may also control: whether the raw wavelength and corresponding intensity information is conveyed to the data management system 10, whether only the peaks are conveyed, whether only certain points (whether peaks or not) are conveyed, whether a transformation is applied to the raw wavelength and corresponding intensity information, and such like.

When a reader 52, 62 receives a reader control command 380, the reader 52, 62 first validates that the unique system identification 32 from the system identification field 392 corresponds to that stored in the non-volatile storage 158, and that the identifier in the unique transaction identifier field 394 and the timestamp information 395 are both greater than the last transaction identification and timestamp stored, respectively. If these are all validated, then the reader 52, 62 updates its non-volatile storage 158 to include the new parameters. All subsequent attempts by the reader 52, 62 to read the security feature 110 will use these newly-provided parameters.
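The reader-side checks described for the authenticity confirmation 360 and the reader control command 380 can be sketched as follows. This is an added example, not code from the patent: the class names, the integer timestamp, the initial values of -1 and the sample system identification are assumptions.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPTED = "accepted"
    # The description treats a system identification mismatch as a possible
    # man-in-the-middle attempt, so it is reported separately from a replay.
    SYSTEM_ID_MISMATCH = "system identification mismatch"
    REPLAYED = "stale transaction identifier or timestamp"


@dataclass(frozen=True)
class SystemMessage:
    """Fields shared by confirmation 360 and control command 380 (layout assumed)."""
    system_id: bytes          # system identification field 374 / 392
    transaction_id: int       # unique transaction identifier field 376 / 394
    timestamp: int            # timestamp information 372 / 395
    parameters: tuple = ()    # algorithm parameters fields 398; empty for a confirmation


@dataclass
class ReaderState:
    """Stand-in for the values held in the reader's non-volatile storage 158."""
    system_id: bytes
    last_transaction_id: int = -1   # assumption: nothing stored yet
    last_timestamp: int = -1        # assumption: nothing stored yet
    parameters: tuple = ()

    def check(self, msg: SystemMessage) -> Verdict:
        # Constant-time comparison so the check does not leak how many
        # leading bytes of the identification matched.
        if not hmac.compare_digest(msg.system_id, self.system_id):
            return Verdict.SYSTEM_ID_MISMATCH
        # Both counters must be strictly greater than the stored values;
        # a fresh timestamp on an old transaction identifier is still a replay.
        if (msg.transaction_id <= self.last_transaction_id
                or msg.timestamp <= self.last_timestamp):
            return Verdict.REPLAYED
        return Verdict.ACCEPTED

    def receive(self, msg: SystemMessage) -> Verdict:
        verdict = self.check(msg)
        if verdict is Verdict.ACCEPTED:
            # State is overwritten only after every check has passed, so a
            # rejected message cannot advance the counters.
            self.last_transaction_id = msg.transaction_id
            self.last_timestamp = msg.timestamp
            if msg.parameters:
                self.parameters = msg.parameters
        return verdict


def demo() -> list:
    """Constructed message sequence: fresh, replayed, spoofed, then a control command."""
    reader = ReaderState(system_id=b"SYSTEM-ID-EXAMPLE")
    confirmation = SystemMessage(b"SYSTEM-ID-EXAMPLE", 41, 1_700_000_000)
    spoofed = SystemMessage(b"OTHER-SYSTEM", 42, 1_700_000_100)
    command = SystemMessage(b"SYSTEM-ID-EXAMPLE", 42, 1_700_000_200,
                            parameters=(3, 250, 10))
    return [reader.receive(m) for m in (confirmation, confirmation, spoofed, command)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

Because the stored values only ever move forward, a reader whose storage is reset would accept old messages again until a newer one arrives.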

It will now be appreciated that the requests and command 300, 330, 360, and 380 contain many fields that are identical. For example, the global customer identification fields 304, 334, 364, and 384 are all the same.

If the customer desires to receive information about how many times the microprocessors 100 have been authenticated, how many unsuccessful authentication attempts have been made, and such like, then the customer can access the query database 11 b from the customer's headquarters 70 using a computer system 72. The query database 11 b contains a copy of the information stored in the data store 12 (as updated periodically).

The customer has password-protected access to a limited number of queries. One of these queries is to download the log file 28 for one or more of the customer's items (for example, the microprocessor 100) using the customer's global identification or UCC Company Prefix. Another query is to trace one of the customer's items (for example, the microprocessor 100). This provides the customer with a track and trace solution for the customer's items.

It will also be appreciated that this embodiment allows the owner, and other parties authorized by the owner, for example a distributor, to authenticate a microprocessor 100 using a secure reader 52, 62.

The algorithms and parameters used to interrogate the security feature 110 and process the luminescence detected are all stored in non-volatile storage 158 that is automatically erased if an attempt is made to access it by breaking into the security module 150.

The system also retains a log file 28 of unsuccessful attempts to authenticate an item, such as the microprocessor 100.

Another embodiment of the present invention will now be described with reference to FIGS. 14 to 16.

In FIG. 14, a blister package 400 is shown as a perspective view. The package 400 comprises an optically transparent plastic base 402, conforming to FDA requirements for plastics used to package pharmaceuticals, sealed by a foil cover 404.

As best seen in FIG. 15, the base 402 comprises a plurality of individual pharmaceutical compartments 406 (sixteen are illustrated in FIG. 15, although only two of these compartments 406 are labelled). Each compartment 406 contains a pharmaceutical 408 (an item) to which the compartment 406 has been conformably molded.

As best seen in FIG. 16, which shows one compartment 406 greatly enlarged, the pharmaceutical 408 includes a coating on which an item code 410 can be laser written using, for example, the Pharmamark (trade mark) coating available from DataLase (trade mark) which has been approved for use in ingestibles by the FDA.

The item code 410 is a 2D barcode that is written using a low power carbon dioxide laser. In registration with the item code 410 is a security code 412 that is not visible to the human eye. The security code 412 is a luminophore that luminesces in the IR range of the electromagnetic spectrum. In this embodiment, there is a unique security code in registration with each unique item code.

In use, a reader, such as reader 52, can be used to read both the item code 410 and the security code 412. In a similar way to the above embodiments, when the package 400 is manufactured, each compartment 406 is scanned by the reader 52, and a data store records the association between the item code 410 and the security code 412. To validate the package 400, a potential consumer of the pharmaceuticals 408, or a distributor of the pharmaceuticals, can scan a compartment 406 using the reader 52 to ensure that the pharmaceutical item code 410 matches the security code 412. Such readers 52 may be located within kiosks or on counters in retail outlets, such as pharmacies.

Various modifications may be made to the above described embodiments within the scope of the present invention. For example, the data store may only have a single storage node. The architecture of the data store is not critical to these embodiments of the invention, and any convenient data store architecture may be employed.

In other embodiments, only one authenticator node may be used. Where multiple authenticator nodes are used, the shared resources 18 may be implemented by each authenticator node, so that there are multiple shared resources 18. Where only one authenticator node is used, a load balancer may not be required, nor the storage in the shared resources.

In other embodiments, the security feature may not be based on optical properties, for example, an RFID security feature may be used. In other embodiments, a security feature based on optical properties (such as a hologram) may be used. In other embodiments that are based on luminescence, the security feature may be a luminophore comprising a silica matrix. The silica matrix may enclose a dye, quantum dots, or any other convenient luminescing substance.

In the above embodiment, the remote secure readers include a unique hardware identification implemented using a MAC address on a communications adapter in the readers. In other embodiments, the unique identification may not be based on a hardware component, and/or it may be located in the security module of the reader.

In the above embodiment, the UCC Company Prefix was used as the index to the data store, which enabled a barcode to be scanned and used as an index to access the correct entry 180. In other embodiments, for example where barcodes are not used, the global customer identification may be stored in the remote readers and conveyed to the data management system each time an entry is to be populated.

In other embodiments, the owner may populate all data entries.

In other embodiments, the secure readers may not have to be registered prior to sending authentication requests. In other embodiments, each customer may have only one security feature (that is, only one optical signature), so an association request may not be required. Association requests are advantageous where the customer decides which of a plurality of optical signatures assigned to the customer by the owner should be associated with which product.

In other embodiments, the networked authentication system 8 may be implemented as a closed system within a company (for example, using an intranet), so the secure readers may not require the high level of security described in the above embodiment. In such embodiments, the readers may have little or no security.

In the above embodiment, the readers 52, 62 convey to the data store the peak positions of the luminescence spectrum derived from the security feature 110; in other embodiments, the readers 52, 62 may convey the entire spectrum, or a transformation of parts of, or all of, the spectrum. If the entire spectrum is to be transmitted, the intensity values may be transmitted together with information about the starting wavelength, the ending wavelength, and the wavelength step between points. Any other convenient format may be used for transmitting the intensity and wavelength data.

In the above embodiment, the LCD panel 128 only displays limited information. In other embodiments, the authenticity confirmation may include details of the item (the microprocessor 100 in the above embodiment) from the item information field 184, so that these details can be displayed on the LCD panel 128.

In other embodiments, an authenticity confirmation may be in the form of a certificate of authenticity that can be transmitted to and automatically processed by other computer systems.

In the above embodiment, different barcodes having the same UCC Company Prefix had the same entry in the data store 12; whereas, in other embodiments, any difference in barcodes may require a different entry in the data store 12.

In other embodiments, the 2D barcode information received in an authentication request 330 may be hashed by the secure reader authenticator 22 and compared with a hash of the 2D barcode stored in the item information 184. An authenticity confirmation 360 may not be issued unless the two hashes match. This ensures that the 2D barcode on the item being authenticated must match the 2D barcode recorded in the data store for that item.
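The server-side checks described for step 272 (the four reader authentication failure cases) and the barcode hash comparison above can be combined as follows. This is an added example, not code from the patent: the class and method names, the use of SHA-256, the keying of entries by UCC Company Prefix string, and all sample values are assumptions, and the spectral comparison of step 278 is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    OK = "reader and barcode accepted"
    MAC_MISSING = "MAC not present"
    MAC_UNKNOWN = "MAC present but not that of a registered reader"
    GLOBAL_ID_UNKNOWN = "global identification not recognized"
    GLOBAL_ID_MISMATCH = "global identification not the one registered for this MAC"
    BARCODE_MISMATCH = "2D barcode hash differs from the stored hash"


@dataclass(frozen=True)
class AuthRequest:
    global_id: str          # global customer identification field 334
    company_prefix: str     # UCC Company Prefix field 336
    mac: Optional[str]      # reader identification information 338
    barcode: bytes          # barcode data 346


def barcode_hash(barcode: bytes) -> bytes:
    # SHA-256 is an assumption; the description does not name a hash function.
    return hashlib.sha256(barcode).digest()


class DataStore:
    """In-memory stand-in for the data store 12 and log file 28."""

    def __init__(self) -> None:
        self.customers = set()   # recognized global identifications
        self.readers = {}        # MAC -> global identification (storage node 12 c)
        self.item_hashes = {}    # UCC Company Prefix -> stored barcode hash
        self.log = []            # failed requests only

    def add_customer(self, global_id: str) -> None:
        self.customers.add(global_id)

    def register_reader(self, mac: str, global_id: str) -> None:
        self.readers[mac.lower()] = global_id

    def create_entry(self, company_prefix: str, barcode: bytes) -> None:
        self.item_hashes[company_prefix] = barcode_hash(barcode)

    def check_reader(self, req: AuthRequest) -> Result:
        if not req.mac:
            return Result.MAC_MISSING
        mac = req.mac.lower()
        if mac not in self.readers:
            return Result.MAC_UNKNOWN
        if req.global_id not in self.customers:
            return Result.GLOBAL_ID_UNKNOWN
        if self.readers[mac] != req.global_id:
            return Result.GLOBAL_ID_MISMATCH
        return Result.OK

    def check_barcode(self, req: AuthRequest) -> Result:
        stored = self.item_hashes.get(req.company_prefix)
        # A missing entry is treated the same as a mismatch.
        if stored is None or not hmac.compare_digest(stored, barcode_hash(req.barcode)):
            return Result.BARCODE_MISMATCH
        return Result.OK

    def authenticate(self, req: AuthRequest) -> Result:
        result = self.check_reader(req)
        if result is Result.OK:
            result = self.check_barcode(req)
        if result is not Result.OK:
            # Keep the precise reason in the log even though the reader
            # only ever displays a generic failure.
            self.log.append((req.mac, req.global_id, result))
        return result


def build_sample_store() -> DataStore:
    """Constructed sample data; none of these values come from the patent."""
    store = DataStore()
    store.add_customer("CUST-A")
    store.add_customer("CUST-B")
    store.register_reader("02:00:00:00:00:01", "CUST-A")
    store.create_entry("0000001", b"constructed 2D barcode payload")
    return store
```

Logging the specific reason while returning only a generic failure to the reader keeps the audit trail useful without telling a rogue device which check it failed.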

In other embodiments, spatial codes other than 2D barcodes may be used, such as conventional UPC barcodes or proprietary codes.

In the above embodiment, one in every batch of microprocessors 100 is authenticated at the manufacturing plant 50 and at the distribution facility 60; in other embodiments, microprocessors 100 may only be authenticated at a final destination or if returned as faulty to the manufacturer.

In the above embodiment, a separate query database 11 b is provided that is only periodically coupled to the data store 12; in other embodiments, the transaction database 11 a may perform the functions of the query database 11 b, and the customer interface 42 may be coupled to port 40.

In the above embodiment, specific data fields and data formats are provided. These, as well as other features of the embodiment, are given only by way of example to aid the skilled person in implementing an embodiment. As will be evident to one of ordinary skill in this art, numerous changes may be made to these data fields and data formats within the scope of the present invention.

In the above embodiment, an auxiliary cryptographic device was removably coupled to the secure module 150; in other embodiments, the secure module may include this functionality in an internal non-removable device, or it may not use this functionality.

1. A package comprising: a base defining a plurality of compartments, each compartment containing an item; a cover enclosing the compartments to retain each item inside a respective compartment; each item carrying a unique item code, and the package including at least one unique security code; where the relationship between the unique item code and the at least one unique security code is maintained by a database.

2. A package according to claim 1, wherein the items are pharmaceuticals.

3. A package according to claim 1, wherein the package cover comprises a frangible cover.

4. A package according to claim 1, wherein the package includes a unique security code associated with each compartment.

5. A package according to claim 4, wherein the security code is located outside the compartment.

6. A package according to claim 4, wherein the security code is located inside the compartment.

7. A package according to claim 1, wherein the unique item code carried by each item is created by a laser beam.

8. A package according to claim 6, wherein the unique item code includes the name of a pharmaceutical.

9. A package according to claim 1, wherein the base comprises a plastic approved by the FDA for use with pharmaceuticals.

10. A package according to claim 1, wherein the base is optically transparent to allow a reader to read the unique item code and the associated unique security code by aligning the reader with a compartment.

11. A package according to claim 1, wherein the unique security code comprises a luminophore.

12. A package according to claim 1, wherein the at least one unique security code is provided on the base.

13. A package according to claim 1, wherein the at least one unique security code is provided on the cover.

14. A method of marking an item to allow validation and tracing of that item, the method comprising: providing a package having an optically transparent base defining a plurality of compartments; inserting individual items into each of the compartments; writing a unique item code on each item; and applying a unique security code in registration with each compartment, to allow association of the item code and the security code for each compartment.

15. A method according to claim 14, wherein the step of applying a unique security code in registration with each compartment includes applying the unique security code to the base.

16. A method according to claim 14, wherein the step of applying a unique security code in registration with each compartment includes applying the unique security code to a cover enclosing the base.

17. A package comprising: a sealed container defining an optically transparent portion and including at least one unique security feature; and an item located within the container, and carrying a unique item code, where the item code is aligned with the optically transparent portion to facilitate reading of the item code from outside the package; wherein a remote database stores the relationship between the unique security feature and the unique item code to allow authentication of the item.